Description
CWE-78 Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts with a vulnerable network-exposed service.
Published: 2026-06-25
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw in Schneider Electric PowerLogic™ P7's network-exposed service. It allows an attacker who has gained privileged authenticated access to inject arbitrary commands, resulting in elevated privileges and potential compromise of system integrity, confidentiality, and availability.

Affected Systems

Schneider Electric PowerLogic™ P7 devices are affected. No specific firmware or serial versions are listed in the vendor data.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. EPSS data is unavailable, so the current likelihood of exploitation remains uncertain. The flaw is not listed in CISA KEV, suggesting no publicly known, active exploitation at this time. The attack vector requires a privileged authenticated user to interact with the vulnerable service, implying that an attacker must already have some level of authorized access before exploiting the command injection. If successful, the exploited commands would run with the privileges of the authenticated user, enabling broader system compromise.

Generated by OpenCVE AI on June 25, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-issued firmware or software update that addresses the command-execution flaw once one is published (none is listed at the time of this record).
  • Restrict network exposure of the affected service by limiting ingress to trusted IP ranges or by placing the device behind a firewall that blocks unauthenticated traffic.
  • Enforce the principle of least privilege for accounts that can access the service; remove unnecessary administrative rights and consider separating user roles for production maintenance.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 17:00:00 +0000

Type: Title
Values Added: OS Command Injection in Schneider Electric PowerLogic P7 Network Service

Thu, 25 Jun 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values Added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type: Description
Values Added: CWE-78 Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts with a vulnerable network-exposed service.

Type: Weaknesses
Values Added: CWE-78

Type: References

Type: Metrics (cvssV4_0)
Values Added:
{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-06-25T15:50:30.499Z

Reserved: 2026-05-27T16:02:10.875Z

Link: CVE-2026-9717

Vulnrichment

Updated: 2026-06-25T15:50:27.524Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:45:03Z

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')